CVE-2024-10491
📋 TL;DR
This vulnerability in Express.js's response.links function (res.links()) allows attackers to inject additional resources into the Link response header when unsanitized user input is used as a link target. res.links() builds the header by string concatenation: each value is wrapped as <url>; rel="name" and the entries are joined with a comma, with no escaping. A value containing the delimiter characters ',', ';', '<' or '>' can therefore close the intended entry and append entries of the attacker's choosing. It affects applications that generate Link headers dynamically from user-controlled data (for example a pagination URL taken from a query parameter). Browsers act on Link headers with relations such as preload, prefetch, preconnect and dns-prefetch, so an injected entry can make the victim's browser fetch, or open a connection to, an attacker-controlled resource.
💻 Affected Systems
- Express.js
📦 What is this software?
Express by Openjsf
⚠️ Risk & Real-World Impact
Worst Case
An injected entry makes the victim's browser fetch an attacker-chosen resource, typically sending the victim's IP address and Referer to the attacker's server, or pulls a large payload that degrades the client. A preload by itself fetches but does not execute the resource, so turning this into script execution (XSS), data exfiltration or malware delivery would need a second weakness, such as the page already referencing a script URL the attacker can influence. Treat those outcomes as the ceiling, not the default.
Likely Case
Limited impact requiring specific conditions: the attacker must control a value the application passes to res.links(), and the victim's browser must act on the injected relation (current browsers honor preload, prefetch and preconnect from the Link header). The most likely result is an unwanted cross-origin fetch or connection from the victim's browser, not code execution.
If Mitigated
With proper input validation (each target an absolute http(s) URL on an allowlisted host, each rel from a fixed set), the vulnerability has minimal impact because a malicious value is rejected before it reaches the Link header.
🎯 Exploit Status
Exploitation requires that the attacker control a value the application passes to res.links(); the function is not reachable directly from a request. No public exploits were known at the time of writing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: no specific fixed release is identified here; consult the advisory below for the affected range. Because res.links() concatenates whatever it is given, application-side validation of the values passed to it is the effective fix whichever version is installed.
Advisory (HeroDevs, reporter): https://www.herodevs.com/vulnerability-directory/cve-2024-10491
Restart Required: Yes
Instructions:
1. Update Express to the latest supported release (end-of-life lines such as 3.x no longer receive fixes).
2. Review every call to res.links() and trace where its values come from: query parameters, route params, request bodies, headers, or user-writable database fields.
3. Validate those values before the call: require an absolute http(s) URL on an allowlisted host and a rel from a fixed set, and reject anything containing ',', ';', '<', '>' or '"'.
4. Restart the application so the updated dependency and code are loaded.
🔧 Temporary Workarounds
Input Validation Workaround
Validate every value passed to res.links() against an allowlist (absolute http(s) URL, known host, known rel) and reject anything else; do not merely strip characters, since the remaining string is still an attacker-chosen URL.
// Example: validate input before res.links(). sanitizeUserInput is a placeholder
// for the application's own validator; see "If You Can't Patch" for what it must enforce.
const sanitizedLinks = sanitizeUserInput(userLinks); // throws or returns null on bad input
res.links(sanitizedLinks);
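To make that workaround concrete, here is an added example (not code from Express or from the advisory) of a wrapper that validates values before they reach res.links(). The makeResponse() stand-in reproduces the string concatenation res.links() performs so the example runs offline without Express installed; ALLOWED_HOSTS, ALLOWED_RELS, the evil.example host and the injected value are assumptions constructed for the demonstration.

```javascript
'use strict';

// Stand-in for the Express response object. The links() body reproduces how
// Express builds the header: each entry becomes '<url>; rel="name"' and the
// entries are joined with ', ' with no escaping. Reconstructed for offline
// running; it is not Express's own code.
function makeResponse() {
  const headers = {};
  return {
    get(name) { return headers[name.toLowerCase()]; },
    set(name, value) { headers[name.toLowerCase()] = value; return this; },
    links(links) {
      let link = this.get('Link') || '';
      if (link) link += ', ';
      return this.set('Link', link + Object.keys(links).map(function (rel) {
        return '<' + links[rel] + '>; rel="' + rel + '"';
      }).join(', '));
    },
  };
}

// Assumed application policy: hosts this app may point browsers at and the
// relation types its handlers are permitted to emit.
const ALLOWED_HOSTS = new Set(['app.example.com', 'cdn.example.com']);
const ALLOWED_RELS = new Set(['next', 'prev', 'last', 'canonical', 'preload']);
// Characters that delimit Link entries and parameters, plus control characters.
const HEADER_META = /[<>,;"\x00-\x1f\x7f]/;

// Returns the normalized href for an acceptable target, or null to reject it.
function validateLinkTarget(raw) {
  if (typeof raw !== 'string' || HEADER_META.test(raw)) return null;
  let url;
  try { url = new URL(raw); } catch (err) { return null; } // relative or unparsable: reject
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null; // no javascript:, data:, ...
  // The URL parser has already resolved userinfo, so user@host tricks land here as the real host.
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  return url.href;
}

// Hardened wrapper: validate every rel and target, then hand only clean values
// to the raw res.links(). It throws instead of stripping, so the caller can
// answer 400 rather than emit a partially attacker-chosen header.
function safeLinks(res, links) {
  const clean = {};
  for (const [rel, target] of Object.entries(links)) {
    if (!ALLOWED_RELS.has(rel)) throw new Error('disallowed rel: ' + rel);
    const href = validateLinkTarget(target);
    if (href === null) throw new Error('rejected link target for rel ' + rel);
    clean[rel] = href;
  }
  return res.links(clean);
}

// Number of '<...>' entries a Link header value carries.
function countLinkEntries(header) {
  return (header.match(/<[^>]*>/g) || []).length;
}

// Constructed attacker value for a "next page" parameter: it closes the intended
// entry early, inserts a preload of an attacker-hosted script, and reopens a
// plausible entry so the final header still parses cleanly.
const INJECTED = 'https://evil.example/x.js>; rel="preload"; as="script", <https://app.example.com/page?p=2';

// Vulnerable pattern from the page: the request value goes straight into res.links().
function demoVulnerable() {
  const res = makeResponse();
  res.links({ next: INJECTED });
  return res.get('Link');
}

// Same input through the wrapper: rejected, and no Link header is set at all.
function demoHardened() {
  const res = makeResponse();
  try {
    safeLinks(res, { next: INJECTED });
    return { rejected: false, header: res.get('Link') };
  } catch (err) {
    return { rejected: true, header: res.get('Link') };
  }
}

console.log('vulnerable:', demoVulnerable());
console.log('hardened:', demoHardened());
```

Run it with node: demoVulnerable() returns a header with two entries, the attacker's preload first and the legitimate next link second, while demoHardened() reports the value rejected with no Link header set. Rejecting rather than stripping is deliberate; removing '<' and ';' from the payload would still hand res.links() an attacker-chosen URL.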
Disable Dynamic Link Headers
Remove or disable generation of Link headers from user-controlled data; emit only static headers or values the server computes itself.
// Remove vulnerable code patterns:
// Instead of: res.links(req.body.userLinks)
// Use static headers or remove functionality
🧯 If You Can't Patch
- Validate rather than filter: require each link target to parse as an absolute http(s) URL (new URL() throws on anything else) with a hostname on an allowlist, and restrict rel to a fixed set of tokens. Reject, rather than strip, values containing ',', ';', '<', '>' or '"', since stripping still leaves an attacker-chosen URL. Node's HTTP layer already refuses CR/LF in header values, so the injection is confined to the Link header and cannot add other response headers.
- Use a Content Security Policy: preload requests are checked against the fetch directive that matches their as type (script-src for as=script, style-src for as=style, and so on), so a policy that pins those directives to your own origins blocks the fetch of an injected cross-origin resource. preconnect and dns-prefetch hints are not governed by CSP, so it reduces but does not remove the exposure.
🔍 How to Verify
Check if Vulnerable:
Search the code base for res.links( and response.links( and, for each call, trace whether any value originates from the request (query, params, body, headers) or from user-writable storage without being validated against an allowlist. Any such data flow is vulnerable; ',', ';', '<' and '>' in a value are the trigger, but the check belongs on the data flow, not on whether those characters have been observed.
Check Version:
npm list express
Verify Fix Applied:
Send a request whose controlled value contains a delimiter payload (for example a value ending in >; rel="preload", <https://attacker.example/x.js, with attacker.example standing in for any host you control) and confirm the application rejects it, or that the response's Link header contains exactly the entries your code intends and no additional <...> entry. A quick check from the command line: curl -si 'https://your-app.example/path?next=PAYLOAD' | grep -i '^link:'.
📡 Detection & Monitoring
Log Indicators:
- Link response headers carrying more <...> entries than the handler that produced them is coded to emit
- Link entries whose target host is not one of your own origins or CDNs
- Request parameters containing '<', '>' or ';' together with the string rel= (attempts to reach the injection point)
Network Indicators:
- HTTP responses with unusually long or multi-entry Link headers from routes that should emit a single entry
- Client-side telemetry, where available, showing browsers fetching from or preconnecting to hosts you do not serve from
SIEM Query:
Every well-formed Link header contains '<', '>' and ';' (the format is <url>; rel="name"), so a query on those characters alone matches all traffic. Match instead on more entries than your handlers emit, here two or more, and tune the count to your code (the field name is a placeholder for your schema):
http.response.headers.link:*<*<*
For precision, parse the header into entries and compare each target's host against an allowlist rather than relying on wildcards.
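For the "Verify Fix Applied" step and the detection indicators above, the following added example (not part of the page's source or of Express) parses Link header values into entries and scans a constructed JSON-lines access log for headers whose targets fall outside the application's own hosts. The log format and field names, SITE_ORIGIN, EXPECTED_HOSTS, MAX_ENTRIES and the evil.example host are assumptions; adapt them to what your handlers actually emit.

```javascript
'use strict';

// Split on a delimiter, ignoring delimiters inside quoted strings or <...>.
function splitOutside(str, delim) {
  const parts = [];
  let quoted = false, angle = false, cur = '';
  for (const ch of str) {
    if (ch === '"' && !angle) quoted = !quoted;
    else if (ch === '<' && !quoted) angle = true;
    else if (ch === '>' && !quoted) angle = false;
    if (ch === delim && !quoted && !angle) { parts.push(cur); cur = ''; continue; }
    cur += ch;
  }
  parts.push(cur);
  return parts.map((s) => s.trim()).filter((s) => s.length > 0);
}

// Parse a Link header value into entries of { target, params }. Loosely follows
// RFC 8288: comma-separated link-values, ';'-separated params, and the first
// occurrence of a param wins. An entry without '<target>' is kept as malformed
// so the scanner can flag it instead of silently dropping it.
function parseLinkHeader(header) {
  return splitOutside(header, ',').map((entry) => {
    const m = /^<([^>]*)>\s*;?\s*([\s\S]*)$/.exec(entry);
    if (!m) return { target: null, params: {}, malformed: entry };
    const params = {};
    for (const p of splitOutside(m[2], ';')) {
      const eq = p.indexOf('=');
      const key = (eq === -1 ? p : p.slice(0, eq)).trim().toLowerCase();
      let value = eq === -1 ? '' : p.slice(eq + 1).trim();
      if (value.length >= 2 && value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1);
      if (!(key in params)) params[key] = value;
    }
    return { target: m[1], params };
  });
}

// Assumed policy: what this application's own handlers are expected to emit.
const SITE_ORIGIN = 'https://app.example.com';            // base for relative targets
const EXPECTED_HOSTS = new Set(['app.example.com', 'cdn.example.com']);
const MAX_ENTRIES = 2;                                    // most entries any handler emits

// Findings for one Link header value; an empty list means it matches policy.
function inspectLinkHeader(header) {
  const findings = [];
  const entries = parseLinkHeader(header);
  if (entries.length > MAX_ENTRIES) findings.push(`entry count ${entries.length} exceeds ${MAX_ENTRIES}`);
  for (const e of entries) {
    if (e.target === null) { findings.push('malformed entry: ' + e.malformed); continue; }
    let host = null;
    try { host = new URL(e.target, SITE_ORIGIN).hostname; } catch (err) { /* unparsable target */ }
    if (host === null || !EXPECTED_HOSTS.has(host)) {
      findings.push(`unexpected host ${host || e.target} for rel=${e.params.rel || '?'}`);
    }
  }
  return findings;
}

// Constructed JSON-lines access log (not real traffic). Field names are assumed;
// 'link' holds the Link response header exactly as the app sent it. The second
// record is the injected header from the vulnerable pattern; the third shows
// relative targets, which resolve against SITE_ORIGIN and pass.
const SAMPLE_LOG = [
  '{"ts":"2024-11-05T10:00:01Z","client":"203.0.113.5","path":"/items?page=1","status":200,"link":"<https://app.example.com/items?page=2>; rel=\\"next\\""}',
  '{"ts":"2024-11-05T10:00:02Z","client":"198.51.100.7","path":"/items?page=2","status":200,"link":"<https://evil.example/x.js>; rel=\\"preload\\"; as=\\"script\\", <https://app.example.com/items?page=3>; rel=\\"next\\""}',
  '{"ts":"2024-11-05T10:00:03Z","client":"203.0.113.5","path":"/items?page=3","status":200,"link":"</items?page=2>; rel=\\"prev\\", </items?page=4>; rel=\\"next\\""}',
].join('\n');

// Scan a JSON-lines log and return only the records that produced findings.
function scanLog(text) {
  const hits = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    const rec = JSON.parse(line);
    if (typeof rec.link !== 'string') continue;
    const findings = inspectLinkHeader(rec.link);
    if (findings.length > 0) hits.push({ ts: rec.ts, client: rec.client, path: rec.path, findings });
  }
  return hits;
}

console.log(JSON.stringify(scanLog(SAMPLE_LOG), null, 2));
```

Only the second record is reported, with the finding naming evil.example and rel=preload; the relative prev/next targets in the third record resolve to the site's own host and pass. The same inspectLinkHeader() call works for post-fix verification: feed it the Link header captured from your test request and expect an empty list.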